Biometrics for Authentication: The Risks and Potential Rewards

In the last ten years, biometric technology has morphed from something Hollywood villains use to secure their secret dungeons to something almost everyone has in their pocket. But while adoption of biometric security has seen explosive success, misconceptions about biometric authentication are still very common. Let's take a look at how secure biometrics really are, and how you can avoid some costly mistakes!

Why Do We Use Biometric Authentication?

As many security professionals have demonstrated, password based authentication is fundamentally flawed because of people. People forget, reuse and share their passwords. And that only matters if the chosen password is secure in the first place. So, biometric technology seems like an amazing alternative. Biometric traits are unique, unforgettable and can't easily be shared. Also, everyone shares a similar complexity in their traits, e.g. there are no "weak" fingerprints. On top of all that, using biometrics is super easy. Just a swipe of the finger or a glance at your phone can provide the needed authentication.

However, these features primarily speak to the usability of biometric authentication, but less to its security. Most people associate biometrics with security based on a decades long image painted by movies, where everything that needs to be really secure is locked behind a finger, face, voice or hand scanner. But once you step back and think about it, some of the flaws become blatantly obvious. Take Touch ID for example. Everytime you touch your phone, you imprint the key onto its surface. Imagine a desktop PC pasted with sticky notes of your password…

Disadvantages of Biometric Authentication

Biometric technologies suffer from two key problems: First, as discussed above, your "key" can be stolen by anyone in close proximity to you. Second, the "key" is always immutable, meaning that it will not change in your lifetime. This arises from one of the basic requirements for biological traits suitable for biometric authentication: Permanence. You don't want your fingerprint to change every year, because then you will not be able to unlock your phone. This is a requirement and curse at the same time, because what happens if your biometric trait is stolen? You won't be able to replace it with a new version. This can be especially risky if a database of biometric records is hacked and stolen.

A notable example for this is the federal Office of Personnel Management: They manage an enormous database of at least 20 million federal employees fingerprints. Unfortunately, the system was hacked and some (about 5.6 million records according to their own estimate) of this data is now stolen. Imagine your company uses fingerprint scanners at your building's entries. A hacker only needs to purchase the fingerprint of one employee online to compromise security.

Even if you are not worried about being compromised this way, because let's say you have only given your fingerprint to trustworthy services, there is another major risk: photos. The German Chaos Computer Club (CCC) demonstrated that its possible to extract someone's fingerprint from a regular, high-resolution photo in sufficient quality to fool some tested fingerprint scanners. This can be especially dangerous for companies and governments alike, who usually have high-resolution photos of their most prominent figures already available to the public.

These issues are not exclusive to fingerprint authentication either; they are based on the two fundamental problems outlined above and affect any biometric trait to a certain degree.

Mitigation and the Future of Biometrics

Luckily, research has not been idling when it comes to biometric security, and there are a few mitigations available for these problems. To secure your biometric databases, you can deploy something called cancelable biometric templates, which renders the information stored unusable for an attacker. It is similar to encrypting the biometric data, but you don't have to decrypt the information to use it, which would open up another point of attack.

Instead, imagine it like putting a distorted lens over the scanner (actually, this all happens digitally). You store the distorted image, and it is only useful if you use the same distorted lens to take the scan it will be compared to. Without the distorted lens, an attacker can not recreate the original scan, and the information is useless. In case of a breach, you only need to re-distort the data. This is very similar in concept to hashing passwords, but still does not protect against targeted, physical attempts to steal the information, however it makes large-scale attacks like on the Office of Personnel Management unfeasible.

Now, even if your fingerprint is stolen, you could still use a scanner so advanced that it can't be fooled by an imitation of you. Imagine a scanner that checks pulse, skin conductivity, sweat, and so on and so forth. The whole discussion about biometric security comes down to an arms race between a scanners ability to detect imitations and the attackers ability to produce good fakes. Unfortunately, this tech is rather rare, costly and not yet ready for mainstream deployment, so be aware that fingerprint and iris scanners, in phones for example, usually do not provide adequate protection against fakes. But if you need to secure, for example, a server room- your best bet may be to invest in some really high quality biometric scanning devices.

Why You Should Still Deploy Biometric Authentication

Despite all this, biometrics still have a place in security because security is all about the trade off. In the case of biometrics, you trade increased usability for some security. But against our intuition, this can still result in a system that is more secure overall when deployed in tandem with other authentication methods. That’s because stress on the user is relieved; they can focus on a few high-risk passwords for their most important tasks and be reasonably confident that no one can just unlock their device in a few seconds (without preparation).

Combining different authentication methods is key in securing your business. Hackers will always take the path of least resistance – faking biometric traits can be expensive and time-consuming. Large-scale attacks against your employees passwords could be more feasible and quicker to execute, so be sure to use the strengths of multiple factors to augment each other. If you use biometrics initially and then secure the most sensitive actions with a password, attacks have just become exponentially more costly. That is because biometrics force an attacker to use a targeted approach, and passwords can be most easily broken when used in large numbers (high chances for weak passwords). Because an attacker has to focus on a few targets to even reach the password query, the attack has become incredibly hard although both factors by themselves are not that secure.

There are also other, more versatile ways of utilising this phenomenon, most notably Okta’s Adaptive Multi-Factor Authentication. Make sure to check it out so you can always get the most security from your available resources.